Wiesner's quantum money [5] is a simple, information-theoretically secure quantum cryptographic protocol. In his protocol, a mint issues quantum bills and anyone can query the mint to authenticate a bill. If the mint returns bogus bills when it is asked to authenticate them, then the protocol can be broken in linear time.
INTRODUCTION

In [5], Wiesner proposed a protocol for information-theoretically secure private-key quantum money. A mint can choose a security parameter n and generate a random n-qubit state. (Each qubit is independently and uniformly drawn from $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$.) The mint assigns that state a unique serial number and declares it to be a $20 quantum bill. (The $20 is arbitrary.) To verify a quantum bill, a merchant sends the bill back to the mint. The mint looks up the classical description of the state matching the serial number of the bill and projects the quantum state being tested onto that state. A "VALID" result (the state being tested matched the description) means that the bill is valid and an "INVALID" result means that the bill was counterfeit or damaged. (The mint needs to maintain a secret database of the description of the random state corresponding to each serial number.)

This protocol is information-theoretically secure. The no-cloning theorem implies that an attacker cannot perfectly copy a quantum bill, and the bounds in [1] mean that the probability that an approximate copy appears valid drops exponentially as a function of n.

There are many recent papers based on the idea of attacking otherwise secure classical cryptographic protocols by various side channels or online attacks. For example, in 2002, Vaudenay showed that a commonly used form of symmetric cipher (CBC mode encryption) can be attacked with a small number of queries to an oracle that distinguishes valid encrypted messages from invalid messages with a certain type of error. Rizzo and Duong dramatically showed that these attacks worked against carelessly designed websites and that many current websites are vulnerable.

Inspired by Rizzo and Duong's result, I show that, even if the mint has a perfect quantum computer, Wiesner's quantum money is vulnerable to an online attack. If, when asked to verify any bill, the mint returns the bill even if that bill was invalid, then a small number of queries to the mint can be used to copy a bill.
THE ATTACK

For Wiesner's quantum money to be useful, the mint must offer a service that anyone can use to verify quantum bills. Morris (presumably a merchant) sends the mint a quantum bill. The mint either answers VALID and returns the bill to Morris or answers INVALID. In the INVALID case, if the mint destroys the counterfeit bill, then all is well. If, on the other hand, the mint returns the counterfeit bill to Morris, then the entire protocol can be broken in linear time.

We can formalize the quantum bill as a classical-quantum state $(s, |\$_s\rangle)$ where s is some unique classical serial number and $|\$_s\rangle$ is the random product state chosen by the mint that corresponds to the serial number s. We can write

$|\$_s\rangle = |\psi_1\rangle|\psi_2\rangle\cdots|\psi_n\rangle,$

where each $|\psi_i\rangle$ depends on s and is drawn from $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. This means that each $|\psi_i\rangle$ is an eigenstate of either X or Z. (Morris does not know which operator each $|\psi_i\rangle$ is an eigenstate of.) We assume that Morris can send the mint any c-q state $(s, |\phi\rangle)$ and the mint will measure the projector $P_s = |\$_s\rangle\langle\$_s|$. If the outcome is 1, the mint returns $(\mathrm{VALID}, s, P_s|\phi\rangle)$ and if the outcome is 0, the mint returns $(\mathrm{INVALID}, s, (1 - P_s)|\phi\rangle)$ (up to normalization).

If Carla the counterfeiter has a single quantum bill $(s, |\$_s\rangle)$ and can query the mint, then she can break the protocol by learning the state $|\$_s\rangle$ one qubit at a time. To learn the ith qubit, she sends the mint the state $(s, X_i|\$_s\rangle)$. If the mint answers INVALID, then the state $|\psi_i\rangle$ was either $|0\rangle$ or $|1\rangle$ (as the other possibilities $|+\rangle$ and $|-\rangle$ are eigenstates of $X_i$). In this case, the returned state is

$|\psi_1\rangle \cdots |\psi_{i-1}\rangle \, X|\psi_i\rangle \, |\psi_{i+1}\rangle \cdots |\psi_n\rangle.$

But now Carla knows that $|\psi_i\rangle$ is an eigenstate of Z. She applies $X_i$ to recover $|\psi_i\rangle$ and measures in the Z basis to learn whether it is $|0\rangle$ or $|1\rangle$.

If, on the other hand, the mint answers VALID, then the state $|\psi_i\rangle$ was either $|-\rangle$ or $|+\rangle$. In this case the mint returns the (undamaged) state $|\$_s\rangle$ to Carla. But now Carla knows that $|\psi_i\rangle$ is an eigenstate of X and she can measure it to learn whether it is $|+\rangle$ or $|-\rangle$.

If Carla repeats this process for $i = 1, \ldots, n$, she will learn the secret description of $|\$_s\rangle$ in exactly n queries to the mint. Once she has done this, she can make as many counterfeit copies of $|\$_s\rangle$ as she wants.
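As an added illustration that is not part of the paper, the following pure-Python simulation implements the formalized protocol above and Carla's n-query attack: a mint that hands back $(1 - P_s)|\phi\rangle$ on INVALID leaks the whole description in n queries, while a mint that destroys the bill on INVALID stops the attack at the first Z-basis qubit. The `leaky` switch, the function names and the sample descriptions such as `"0+1-"` are assumptions of this simulation, not the paper's notation.

```python
import random
from math import sqrt
# Wiesner's four single-qubit states as real 2-vectors (every state and gate here is real).
R = 1 / sqrt(2)
KET = {"0": (1.0, 0.0), "1": (0.0, 1.0), "+": (R, R), "-": (R, -R)}

def product_state(desc):
    """|$_s> as a list of 2^n amplitudes, built from its classical description, e.g. "0+1-"."""
    vec = [1.0]
    for c in desc:
        vec = [a * b for a in vec for b in KET[c]]   # new qubit becomes the least significant bit
    return vec

def apply_x(vec, i, n):
    """Pauli X on qubit i (qubit 0 is the most significant index bit)."""
    m = 1 << (n - 1 - i)
    return [vec[k ^ m] for k in range(len(vec))]

def mint_verify(secret, phi, leaky):
    """Measure P_s = |$_s><$_s| on phi; VALID returns |$_s>, INVALID returns (1 - P_s)|phi> only if leaky."""
    target = product_state(secret)
    amp = sum(t * p for t, p in zip(target, phi))        # <$_s|phi>, so Pr[outcome 1] = amp^2
    if random.random() < amp * amp:
        return "VALID", target
    rest = [p - amp * t for p, t in zip(phi, target)]    # (1 - P_s)|phi>, not yet normalised
    norm = sqrt(sum(r * r for r in rest))
    return "INVALID", [r / norm for r in rest] if leaky else None   # correct mint destroys the bill

def measure_qubit(vec, i, n, basis):
    """Measure qubit i in the basis named by two labels ("01" for Z, "+-" for X); return the outcome."""
    m = 1 << (n - 1 - i)
    weights = [sum((k0 * vec[k] + k1 * vec[k | m]) ** 2 for k in range(len(vec)) if not k & m)
               for k0, k1 in (KET[b] for b in basis)]   # Born probabilities of the two outcomes
    return random.choices(basis, weights)[0]

def carla_attack(secret, leaky):
    """The paper's attack: learn qubit i from the mint's answer to X_i|$_s>; None if the bill is destroyed."""
    n = len(secret)
    bill = product_state(secret)                # Carla's single genuine bill
    learned = ""
    for i in range(n):
        answer, returned = mint_verify(secret, apply_x(bill, i, n), leaky)
        if returned is None:
            return None                         # a correct mint ends the attack here
        if answer == "INVALID":                 # psi_i was |0> or |1>: undo X_i, then read it in Z
            returned = apply_x(returned, i, n)
        bill = returned                         # either way the bill is |$_s> again; reading qubit i in
        learned += measure_qubit(bill, i, n, "01" if answer == "INVALID" else "+-")  # its own basis is certain
    return learned
```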

Carla could also use a more generic algorithm such as quantum state restoration to copy the state directly in 2n (expected) queries to the mint or single-copy tomography to learn the state in O(n) queries.

CONCLUSION 

Anyone who implements classical cryptographic protocols needs to be very careful to avoid introducing flaws that 
bypass the security that the protocol would have offered if correctly implemented. Quantum cryptography is not 
magically safer. 